
Elastic Compute Service: API behavior when an instance is locked for security reasons

Last Updated: Apr 27, 2025

If a security event occurs on an Elastic Compute Service (ECS) instance due to security violations, such as cryptocurrency mining, fraud, or harmful information, the ECS instance is locked. This topic describes how API operations behave after the ECS instance is locked for security reasons.

Check whether an ECS instance is locked for security reasons

  • Call the DescribeInstances operation for the ECS instance. If the returned OperationLocks parameter contains LockReason: security, the ECS instance was locked for security reasons.

  • Log on to the ECS console and in the left navigation pane, choose Events > Instance Security Events. If instance security events appear, the ECS instance is locked. In this example, an event appears on the Events of Instances Blocked for Security Reasons tab, which indicates that the ECS instance was locked, as shown in the following figure.

    image

API behavior

Note: API operations that are not listed in the following table are unaffected.

| Operation | Impact |
| --- | --- |
| StartInstance | Affected and returns an error. Error code: InstanceLockedForSecurity. |
| StopInstance | Unaffected. |
| RebootInstance | Affected and returns an error. Error code: InstanceLockedForSecurity. |
| RebootInstances | Affected and returns an error. Error code: InstanceLockedForSecurity. |
| DeleteInstance | Unaffected. |
| DeleteInstances | Unaffected. |
| DescribeInstanceStatus | Unaffected. |
| DescribeInstances | Unaffected. |
| DescribeInstanceTypes | Unaffected. |
| DescribeInstanceAttribute | Unaffected. |
| ModifyInstanceAttribute | Affected and returns an error. Error code: InstanceLockedForSecurity. |
| ModifyInstanceChargeType | Affected and returns an error. Error code: InstanceLockedForSecurity. |
| ModifyInstanceSpec | Affected and returns an error. Error code: InstanceLockedForSecurity. |
| ModifyPrepayInstanceSpec | Affected and returns an error. Error code: InstanceLockedForSecurity. |
| ModifyInstanceAutoReleaseTime | Affected and returns an error. Error code: InstanceLockedForSecurity. |
| AttachInstanceRamRole | Unaffected. |
| DescribeInstanceRamRole | Unaffected. |
| DetachInstanceRamRole | Unaffected. |
| DescribeInstanceVncUrl | Affected and returns an error. Error code: IncorrectInstanceStatus. |
| ModifyInstanceVncPasswd | Unaffected. |
| ModifyInstanceMetadataOptions | Unaffected. |
| DescribeUserData | Unaffected. |
| RenewInstance | Unaffected. |
| DescribeInstanceAutoRenewAttribute | Unaffected. |
| ModifyInstanceAutoRenewAttribute | Unaffected. |
| ReActivateInstances | Affected and returns an error. |
| CreateImage | Affected and returns an error when you create an image from a locked instance. Error code: InstanceLockedForSecurity. |
| CreateDisk | Unaffected. |
| DescribeDisks | Unaffected. |
| AttachDisk | Unaffected. |
| DetachDisk | Affected and returns an error if the cloud disk attached to the ECS instance is in the In Use (In_use) state. Error code: InstanceLockedForSecurity. |
| ResizeDisk | Affected and returns an error if the cloud disk attached to the ECS instance is in the In Use (In_use) state. Error code: InstanceLockedForSecurity. |
| ModifyDiskAttribute | Unaffected. |
| ModifyDiskChargeType | Affected and returns an error if the cloud disk attached to the ECS instance is in the In Use (In_use) state. Error code: InstanceLockedForSecurity. |
| ModifyDiskSpec | Affected and returns an error if the cloud disk attached to the ECS instance is in the In Use (In_use) state. Error code: InstanceLockedForSecurity. |
| ReplaceSystemDisk | Affected and returns an error if the cloud disk attached to the ECS instance is in the In Use (In_use) state. Error code: InstanceLockedForSecurity. |
| ResetDisk | Affected and returns an error if the cloud disk attached to the ECS instance is in the In Use (In_use) state. Error code: IncorrectInstanceStatus. |
| ResetDisks | Unaffected. |
| ReInitDisk | Affected and returns an error if the cloud disk attached to the ECS instance is in the In Use (In_use) state. Error code: InstanceLockedForSecurity. |
| DeleteDisk | Affected and returns an error if the cloud disk attached to the ECS instance is in the In Use (In_use) state. Error code: IncorrectInstanceStatus. |
| CreateSnapshot | Affected and returns an error if the cloud disk attached to the ECS instance is in the In Use (In_use) state. Error code: InstanceLockedForSecurity. |
| DescribeSnapshots | Unaffected. |
| DeleteSnapshot | Unaffected. |
| ModifyAutoSnapshotPolicy | Unaffected. |
| ModifyInstanceNetworkSpec | Affected and returns an error. Error code: InstanceLockedForSecurity. |
| AllocatePublicIpAddress | Affected and returns an error. Error code: InstanceLockedForSecurity. |
| ConvertNatPublicIpToEip | Affected and returns an error. Error code: IncorrectInstanceStatus. |
| ModifyInstanceVpcAttribute | Unaffected. |
| JoinSecurityGroup | Unaffected. |
| LeaveSecurityGroup | Unaffected. |
| AttachKeyPair | Unaffected. |
| DetachKeyPair | Unaffected. |
| RunCommand | Affected but does not return an error. The command execution fails. |
| InvokeCommand | Affected but does not return an error. The command execution fails. |
| GetInstanceScreenshot | Affected and returns an error. Error code: IncorrectInstanceStatus. |
| GetInstanceConsoleOutput | Affected and returns an error. Error code: IncorrectInstanceStatus. |
| DescribeInstanceAttachmentAttributes | Unaffected. |
| ModifyInstanceAttachmentAttributes | Affected and returns an error. Error code: InstanceLockedForSecurity. |
| DescribeInstancesFullStatus | Unaffected. |
| DescribeDisksFullStatus | Unaffected. |
| DescribeInstanceHistoryEvents | Unaffected. |
| CreateSimulatedSystemEvents | Unaffected. |
| CancelSimulatedSystemEvents | Unaffected. |
| AcceptInquiredSystemEvent | Unaffected. |
| CreateDiagnosticReport | Unaffected. |
| DescribeDiagnosticReports | Unaffected. |
| DescribeDiskMonitorData | Unaffected. |
| DescribeInstanceMonitorData | Unaffected. |
| DescribeInstanceMaintenanceAttributes | Unaffected. |
| ModifyInstanceMaintenanceAttributes | Unaffected. |
| RedeployInstance | Affected and returns an error. |
| ReportInstancesStatus | Unaffected. |
| TagResources | Unaffected. |
| ListTagResources | Unaffected. |
| UntagResources | Unaffected. |
| JoinResourceGroup | Unaffected. |
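
The DescribeInstances check and the table above, combined into a triage helper as an added example (not Alibaba Cloud's own code): it finds instances with LockReason: security in a DescribeInstances response, then classifies a finished call, covering the operations the table lists with the generic IncorrectInstanceStatus code, with no error code, or with no error at all. The response shape, the placeholder instance IDs and the result strings are assumptions.

```python
import json

# Subsets of the table above: operations that surface the lock without
# the InstanceLockedForSecurity code.
GENERIC_CODE_OPS = {  # listed with IncorrectInstanceStatus
    "DescribeInstanceVncUrl", "ResetDisk", "DeleteDisk",
    "ConvertNatPublicIpToEip", "GetInstanceScreenshot",
    "GetInstanceConsoleOutput",
}
NO_CODE_OPS = {"ReActivateInstances", "RedeployInstance"}  # no code listed
SILENT_FAIL_OPS = {"RunCommand", "InvokeCommand"}  # no error returned

def security_locked_ids(describe_instances_json):
    """IDs of instances whose OperationLocks contain LockReason: security."""
    body = json.loads(describe_instances_json)
    locked = set()
    for inst in body.get("Instances", {}).get("Instance", []):
        # Assumed shape: OperationLocks.LockReason = [{"LockReason": "..."}]
        locks = (inst.get("OperationLocks") or {}).get("LockReason") or []
        if any(lock.get("LockReason") == "security" for lock in locks):
            locked.add(inst["InstanceId"])
    return locked

def triage(operation, error_code, instance_id, locked_ids):
    """Classify a finished call; error_code is None if the API reported success."""
    locked = instance_id in locked_ids
    if error_code == "InstanceLockedForSecurity":
        return "blocked: security lock"
    if locked and error_code == "IncorrectInstanceStatus" and operation in GENERIC_CODE_OPS:
        return "blocked: security lock (generic error code)"
    if locked and error_code and operation in NO_CODE_OPS:
        return "blocked: security lock (no error code listed)"
    if locked and error_code is None and operation in SILENT_FAIL_OPS:
        return "accepted, but the command fails: security lock"
    return "ok" if error_code is None else "failed: other cause"

# Constructed sample response; the instance IDs are placeholders.
SAMPLE = json.dumps({"Instances": {"Instance": [
    {"InstanceId": "i-example-locked",
     "OperationLocks": {"LockReason": [{"LockReason": "security"}]}},
    {"InstanceId": "i-example-clean", "OperationLocks": {"LockReason": []}},
]}})

if __name__ == "__main__":
    ids = security_locked_ids(SAMPLE)
    print(sorted(ids))
    print(triage("RunCommand", None, "i-example-locked", ids))
    print(triage("DeleteDisk", "IncorrectInstanceStatus", "i-example-locked", ids))
```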